Conference paper

HIDDEN WEB CRAWLING FOR SQL INJECTION DETECTION

With the development of web technology, web applications have become an important part of our lives. Because web applications and services are so widely exposed, any web security vulnerability is likely to be observed and exploited by hackers. Many traditional web security scanners [10, 13, 24] have low page coverage and cannot automatically detect SQL injection vulnerabilities that exist in hidden web pages. In this paper, we propose a mechanism for SQL injection vulnerability detection based on hidden web crawling [16, 18] and implement a detection system aimed at raising web page coverage and enhancing the SQL injection vulnerability detection ability of the web scanner. We combine authentication with the crawler model, and find SQL injection vulnerabilities by simulating web attacks and analyzing the response data. We also conducted two experiments. The first compares the coverage of our tool with three traditional scanners [10, 13, 24] by scanning three common public web sites; the result shows that the system we implemented can retrieve hidden web pages and that its page coverage is larger than that of the other three scanners. The second shows that the ability to find SQL injection vulnerabilities in hidden web pages is enhanced; its result verifies that our detection system can find SQL injection vulnerabilities in hidden web pages automatically and with a lower false positive rate.

SQL injection; hidden web crawler; web scanner; web security vulnerability

Xin Wang, Luhua Wang, Gengyu Wei, Dongmei Zhang, Yixian Yang

Key Laboratory of Network and Information Attack & Defence Technology of MOE, Beijing University ofP

International conference

2010 3rd IEEE International Conference on Broadband Network & Multimedia Technology (IC-BNMT 2010)

Beijing

English

Pages 14-18

2010-10-26 (date first posted on the Wanfang platform; not the paper's publication date)